Authentication failed - Bad credentials in grails spring security

0
votes

I have created my users and roles in Bootstrap.groovy.

def user = new User(username:"name", password:"pass",email:"[email protected]",enabled:true).save()

I have checked the usernames and passwords for each one directly in the database. I have even removed the encoding for testing purposes. However, I get this when I try to login (there is some additional logging added by me)

2014-01-27 22:49:04,480 [http-bio-8090-exec-3] DEBUG filter.GrailsAnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: '{0}' 2014-01-27 22:49:04,480 [http-bio-8090-exec-4] DEBUG filter.GrailsAnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: '{0}' 2014-01-27 23:06:19,654 [http-bio-8090-exec-7] DEBUG filter.GrailsAnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: '{0}' 2014-01-27 23:06:19,833 [http-bio-8090-exec-8] DEBUG filter.GrailsAnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: '{0}' authentication grails.plugin.springsecurity.authentication.GrailsAnonymousAuthenticationToken@dc4a600: Principal: org.springframework.security.core.userdetails.User@dc730200: Username: grails.anonymous.user; Password: [PROTECTED]; Enabled: false; AccountNonExpired: false; credentialsNonExpired: false; AccountNonLocked: false; Granted Authorities: ROLE_ANONYMOUS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 951C58071D49B3E3AB6D55C158C46B43; Granted Authorities: ROLE_ANONYMOUS is NOT logged in 2014-01-27 23:06:29,147 [http-bio-8090-exec-9] DEBUG authentication.RequestHolderAuthenticationFilter - Request is to process authentication 2014-01-27 23:06:30,115 [http-bio-8090-exec-9] DEBUG authentication.RequestHolderAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials 2014-01-27 23:06:30,115 [http-bio-8090-exec-9] DEBUG authentication.RequestHolderAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication 2014-01-27 23:06:30,115 [http-bio-8090-exec-9] DEBUG authentication.RequestHolderAuthenticationFilter - Delegating to authentication failure handler grails.plugin.springsecurity.web.authentication.AjaxAwareAuthenticationFailureHandler@df9533 2014-01-27 23:06:30,116 [http-bio-8090-exec-9] DEBUG authentication.AjaxAwareAuthenticationFailureHandler - Redirecting to /login/authfail?login_error=1 2014-01-27 23:06:30,165 [http-bio-8090-exec-10] DEBUG filter.GrailsAnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: '{0}' authentication failed!!!! 2014-01-27 23:06:30,235 [http-bio-8090-exec-10] DEBUG filter.GrailsAnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: '{0}' authentication grails.plugin.springsecurity.authentication.GrailsAnonymousAuthenticationToken@dc4a600: Principal: org.springframework.security.core.userdetails.User@dc730200: Username: grails.anonymous.user; Password: [PROTECTED]; Enabled: false; AccountNonExpired: false; credentialsNonExpired: false; AccountNonLocked: false; Granted Authorities: ROLE_ANONYMOUS; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: 127.0.0.1; SessionId: 951C58071D49B3E3AB6D55C158C46B43; Granted Authorities: ROLE_ANONYMOUS is NOT logged in

What do you understand from this stacktrace please? If any more information is needed, I would provide it with no hesitation :)

From what I see in the logs, when I try to login with the administrator user which I have created and verified in the database, spring security is trying to log in with the anonymous user who has no access to these pages Here is some more spring security config 

    grails.plugin.springsecurity.controllerAnnotations.staticRules = [
]
grails.plugin.springsecurity.interceptUrlMap = [
    '/candidate/*': ['ROLE_ADMIN'],

 ]
1
grailsspring-security
This line: Enabled: false; AccountNonExpired: false; credentialsNonExpired: false; AccountNonLocked: false Could it be possible you are trying to test with a disabled account? - Emmanuel John
Maybe, what should I do to verify? - The Strong Programmer

1 Answers

1
votes

Not much to go on here :) All it's saying is that the password is bad.

Since you didn't mention that this is an upgrade from 1.2.x of the plugin to 2.x it shouldn't be that there's a configuration issue. If it were that and you didn't make any config changes, you would have old passwords hashed with SHA-256 but would be comparing them with bcrypt-hashed passwords. Also, even if you configured it to use SHA-256, the number of number of hash iterations changed from 1 to 10000, so you'd need grails.plugin.springsecurity.password.hash.iterations = 1 in Config.groovy.

So I'm going to guess that you're explicitly hashing the password in BootStrap.groovy, e.g.

def user = new User(username: 'me', enabled: true, password: springSecurityService.encodePassword('super_secret')).save()

But the generated user class auto-hashes for you, so this hashes twice. If you're doing that, change the BootStrap code to

def user = new User(username: 'me', enabled: true, password: 'super_secret').save()